Facts and myths about HIPAA
Below is a brief discussion of some of the key facts about the HIPAA Privacy Rule and some misconceptions that people may have about it.
To learn more, visit www.hhs.gov/ocr/privacy
General information about HIPAA
Most, but not all, health care providers must follow the HIPAA Privacy Rule. All health insurers and companies called health care clearinghouses must also follow the HIPAA Privacy Rule.
The HIPAA Privacy Rule gives individuals some new rights concerning their health information, called “Protected Health Information” (PHI).
Individuals who receive health care from a provider covered by the HIPAA Privacy Rule will be given a notice of the provider’s privacy practices. The provider is required to get the individual’s written acknowledgement that he or she has received the notice. Privacy notices are very long because the HIPAA Privacy Rule requires many specific statements to be included in them. Some of Community Health Network's providers have developed a one-page summary of their privacy practices, which may be given out along with the privacy notice to make the privacy notice easier to understand.
The HIPAA Privacy Rule is not intended to create barriers that would inhibit health care for patients. Health care providers may communicate freely with patients and each other when sharing PHI is needed for treatment purposes.
For purposes other than treatment, health care providers may use or share only the least amount of PHI needed to do the job.
If you are under a provider’s care, the health care provider may share information about you with your family, friends or other people who are involved in your care or payment for your care. However, providers must take steps to make sure the person is who they say they are and that they are entitled to the information about you. This is especially true if someone calls on the telephone to ask about you. The person may be referred to you or to a single designated family member to get detailed information about you.
Myths about HIPAA
Myth: Physicians and hospitals can't use sign-in sheets and can't call out patients' names in waiting rooms.
Truth: The HIPAA Privacy Rule does not prevent a health care provider from calling out your name in a waiting room or from having a sign-in sheet that asks for limited information about you, such as your name and appointment time.
Myth: Patients' names cannot be posted outside their rooms.
Truth: Hospitals and nursing homes are not prevented from putting a patient’s name outside the door of his or her room. Patient names outside rooms are often needed for patient safety reasons and for the convenience of friends, family and the patient.
Myth: Nurses and physicians can't talk about patients where someone might overhear.
Truth: The HIPAA Privacy Rule does not prevent nurses and doctors from talking about patients in a nurses’ station or a hallway.
Myth: Health care providers must get written permission to share patients' health information for any reason.
Truth: Health care providers are not required to get your written permission to share information about you for your care and treatment, for payment for your care or for the provider’s health care operations (running the provider’s business). Often, we may use external companies to help us carry out our treatment, payment and health care operations. These organizations are considered to be our business associates and are held to the same privacy standards as we are. Sharing protected health information with an outside company that is acting on our behalf is not a violation of the Privacy Rule. Examples of services provided by our business associates include billing services, collection services, legal services, patient satisfaction surveys and medical record copying services.
Myth: Individuals have a right to get a record of everyone who has looked at their health information.
Truth: Individuals have a new right to request a record of some, but not all, disclosures a health care provider or health insurer makes outside of the organization. This record is called an accounting of disclosures. The list will not include any disclosures:
- Made before April 14, 2003
- For national security purposes
- For treatment, payment or operations purposes
- Through a facility directory
- To law enforcement officials or correctional facilities
- Previously authorized in writing by the individual
The accounting of disclosures will not list every employee or physician who viewed an individual’s medical records.